This PoC program implements a process injection technique using Windows NT system calls:
- NtCreateSection
- NtMapViewOfSection
- RtlCreateUserThread
Download NtMapViewOfSection PoC: Download
-
Setup:
- Takes a target PID as a command-line argument
- Defines a shellcode array
-
NTDLL Access:
- Loads ntdll.dll and gets function pointers for NtCreateSection, NtMapViewOfSection, and RtlCreateUserThread
-
Section Creation:
- Creates a 4096-byte memory section with NtCreateSection
- Sets it with execute/read/write permissions
-
Memory Mapping:
- Maps the section into the current process with read/write permissions
- Maps the same section into the target process with execute/read permissions
- This creates a shared memory region between processes
-
Injection:
- Copies the shellcode into the local mapped section
- Since the section is shared, this makes it available in the target process
-
Execution:
- Creates a new thread in the target process using RtlCreateUserThread
- Sets the thread's starting address to the shellcode location
- The shellcode executes in the target process's context
-
Cleanup:
- Closes all handles to prevent resource leaks
- rustc 1.85.1 (4eb161250 2025-03-15)
- Rust toolchain (stable-x86_64-pc-windows-msvc (default))
- Target process PID
cargo run --release <Target PiD>Author: @5mukx